Gracewipe: Secure and Verifiable Deletion under Coercion (prototypes)


To be presented at NDSS'15.

See full paper.


For users in possession of password-protected encrypted data in persistent storage (i.e., "data at rest"), an obvious problem is that the password may be extracted by an adversary through dictionary attacks or by coercing the user. Techniques such as multi-level hidden volumes with plausible deniability, or software/hardware-based full disk encryption (FDE) cannot adequately address such an attacker. For these threats, making data verifiably inaccessible in a quick fashion may be the preferred choice, specifically for users such as government/corporate agents, journalists, and human rights activists with highly confidential secrets, when caught and interrogated in a hostile territory. Using secure storage on a Trusted Platform Module (TPM) and modern CPU's trusted execution mode (e.g., Intel TXT), we design Gracewipe to enable secure and verifiable deletion of encryption keys through a special deletion password. An attacker cannot distinguish between a deletion and real password. He can guess the real password to unlock the target encryption key only through the valid Gracewipe environment; guessing the deletion password will trigger deletion of the real key. When coerced, a user can fake compliance, and enter the deletion password; and then the user can prove to the attacker that Gracewipe has been executed and the real key is no longer available (through a TPM quote), hoping that a reasonable adversary then will find no reason to keep holding the victim, and may even release her. We implement two prototypes of Gracewipe: software-based FDE system with plausible deniability (using TrueCrypt with hidden volume), and hardware-based FDE (using a Seagate self-encrypting drive (SED)). Our choice of booting Windows at the end of a Gracewipe session (for the possibility of immediate adoption), poses some unique challenges. Through the design and prototypes of Gracewipe, we hope to raise awareness of a special but critical use-case of FDE systems.




Scenarios where you may need Gracewipe (not limited to):

1. Coercions (physical or juridical).

When destruction of the secret is preferable.

2. Emergency deletion.

When an adversary is close-by.


Features:

1. Undetectable deletion trigger.

Through special passwords.

2. Quick and uninterruptible deletion process.

3. Cryptographic verifiability.

Prove to the adversary that the deletion has happened and that recovery is impossible.

4. Bypassing Gracewipe does NOT give access to the secret.
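
The deletion-password behaviour described above, as an added sketch that is not Gracewipe's code or from its authors: a Python object stands in for the TPM-protected storage, the XOR-and-HMAC wrapping is a toy chosen to keep the example dependency-free, and names such as `KeyStore` and `unlock` are hypothetical. The trusted execution environment and the TPM quote are not modelled.

```python
import hashlib, hmac, secrets

ITERATIONS = 10_000  # kept low so the demo runs quickly; not a recommended cost

def _derive(password: str, salt: bytes) -> bytes:
    # 64 bytes: the first 32 mask the stored value, the last 32 key the tag.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)

def seal(password: str, value: bytes) -> dict:
    """Wrap a 32-byte value under a password (toy XOR mask + HMAC tag)."""
    if len(value) != 32:
        raise ValueError("value must be 32 bytes")
    salt = secrets.token_bytes(16)
    k = _derive(password, salt)
    ct = bytes(a ^ b for a, b in zip(value, k[:32]))
    return {"salt": salt, "ct": ct, "tag": hmac.new(k[32:], ct, hashlib.sha256).digest()}

def unseal(password: str, slot: dict):
    """Return the wrapped value, or None if the password does not fit the slot."""
    k = _derive(password, slot["salt"])
    tag = hmac.new(k[32:], slot["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, slot["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(slot["ct"], k[:32]))

class KeyStore:
    """Hypothetical stand-in for the protected storage holding the real key."""

    def __init__(self, real_pw: str, deletion_pw: str, disk_key: bytes):
        self.key_slot = seal(real_pw, disk_key)
        # The deletion slot wraps a random marker, so both slots look alike.
        self.wipe_slot = seal(deletion_pw, secrets.token_bytes(32))
        self.wiped = False

    def unlock(self, password: str):
        # Both slots are always tried, so the work done does not depend on
        # which kind of password was entered.
        key = unseal(password, self.key_slot)
        trigger = unseal(password, self.wipe_slot)
        if trigger is not None:
            # Deletion password: replace the key slot with fresh random bytes
            # before returning, so the real key is gone.
            self.key_slot = seal(secrets.token_hex(16), secrets.token_bytes(32))
            self.wiped = True
            return None
        return key  # the disk key, or None for a wrong guess
```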


Important assumptions:

1. The adversary is hostile and coercive, but rational.

2. The functionality and known good "state" values of Gracewipe are publicly available.

3. The encryption mechanism that Gracewipe is built on (e.g., TrueCrypt and SED) should be reliable.

For a complete list of assumptions and unaddressed attacks, see the "Threat model and assumptions" section of the paper.


The two current prototypes:

TrueCrypt based Gracewipe

SED based Gracewipe 


More detailed description and instructions (to come)


How to obtain the source code and help improve Gracewipe:

Please drop a note to z_lianyi(at)encs.concordia.ca.

Note that this tool is still in its proof-of-concept stage and may not be as readily deployable as other tools. However, we welcome inquiries and would like to work together to get it working on a given system.